When he’s not reverse engineering malware, Marcus Hutchins (aka @MalwareTechBlog) can be found surfing, partying, or traveling. That’s to be expected for any typical 22-year-old, except for the part where he stopped the WannaCry malware outbreak. He did so by simply registering an unregistered domain the malware used to determine if it was inside a sandboxed environment.
What happened next kinda turned his life upside-down. His inbox exploded, his Twitter account blew up, and he was doxed by the British tabloids. But once things settled down a bit, he answered a few of our questions.
What motivates you to hack?
I've always enjoyed reversing malware so that I can understand all the cool techniques it uses, so no motivation is really needed to find and stop it.
Money is nice but I did this long before I got paid for it. I like to see reverse engineering like a puzzle where you put together the bits that are obvious and work upward until you have a full picture. It's definitely still more of a hobby to me than a job.
With WannaCry, when did you know you had something big?
The NHS attacks were what made me realize it. One or two reported infections can be put down to dodgy clicks or exploit-kits, but the sheer number of reports coming in simultaneously said this was something serious. My thought process was pretty much "oh s**t, this is serious" followed by "I should probably look into this."
Was the killswitch you discovered just a simple oversight by the malware’s creators or a brilliant technique (as with Necurs trojan) to slow down researchers?
Initially I thought it was a domain generation algorithm, as this is most responsible for when malware is querying unregistered domains. But once I saw the domain was hardcoded I believed it was a badly implemented sandbox detection similar to Necurs.
What advice would you give to organizations to avoid run-ins with malware?
Keep your systems up to date and never ever click "enable content" in an Office document or run script files received via email.
Can malware creators make just as much money by coming to the “good” side and fighting malware?
The profits from WannaCry are currently at $135,503, which isn't an unimaginable salary for a U.S. malware researcher. No matter how much money is made via crime, there is always the risk of being caught, in which case all assets would be seized. White hats don't have to face the risk of police one day taking all their money, and we have cookies.
Are you ever worried about malware creators coming after you personally?
An important thing I've learned in life is that worrying doesn't change the outcome. Journalists have done me no favours by posting my information online just so they could get a bit of ad revenue, but inevitably there's nothing I can do about it.
Has your Twitter feed returned to normal?
My Twitter is still significantly more active than since before the attack, but I'm getting used to it now.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.